Overview of the Guideline on Special Categories of Personal Data by the Turkish Data Protection Authority

12.03.2025

The Turkish Personal Data Protection Authority (“Authority”) published the Guideline on the Processing of Special Categories of Personal Data[1] (“Guideline”) on 26.02.2025. According to the Law on the Protection of Personal Data No. 6698 (“Law”), personal data related to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance, membership in associations, foundations or trade unions, health data, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data. The conditions for processing such data are regulated in detail under the Law.

The Guideline states that the conditions for processing special categories of personal data were previously divided into “data relating to health and sexual life” and “other special categories of personal data.” This distinction has now been removed, and new processing conditions have been introduced. While new conditions have been set, the list of special categories of personal data itself remains unchanged. Furthermore, the legislator has explicitly clarified that the scope of special categories of personal data cannot be expanded through analogy. As part of these amendments, the Authority has prepared the Guideline to assist data controllers in managing compliance processes and fulfilling their obligations.

Special Categories of Personal Data

The Guideline provides comprehensive explanations for each type of special category of personal data. For example, data on race and ethnic origin are defined, with references to decisions by the European Court of Human Rights (“ECHR”). Additionally, the question of whether “nationality” falls within this scope—a frequent issue in practice—is addressed, clarifying that nationality is not included in the limited list of special categories of personal data. Each category includes useful examples, references to ECHR decisions, and comparisons with the General Data Protection Regulation. The opinions of the Court of Cassation and the Council of State regarding the application of Turkish law are also included.

Conditions for Processing Special Categories of Personal Data

As previously mentioned, the distinction between personal data relating to health and sexual life and other special categories of personal data has been eliminated under the amendments to the Law. The processing conditions have been revised to apply uniformly to all special categories of personal data, with additional conditions introduced. Most notably, it is now recognized that there is no hierarchical difference between explicit consent and other processing conditions. The provision stating that special categories of personal data cannot be processed without explicit consent has been removed.

The Guideline explains that the amendments to the Law establish clearer and more comprehensible processing conditions with well-defined boundaries, facilitating better protection of personal data while simplifying compliance for both data subjects and data controllers. It also emphasizes that the processing conditions outlined in the Guideline should be assessed alongside the general principles set out in Article 4 of the Law to ensure legal integrity.

Each processing requirement is detailed with examples in the Guideline. For instance, it states that "blood type" information on a driver's license can only be processed in emergency situations and in line with the individual's intention to make it public. Processing data contrary to this intention would not be considered lawful. Another example highlights that processing special categories of personal data to fulfil an employer’s obligation to maintain an employee’s personnel file under Article 75 of the Labor Law No. 4857 falls under the processing condition of “being mandatory for the fulfilment of legal obligations in employment, occupational health and safety, social security, social services, and social assistance.”

Additionally, the terms “mandatory” and “necessary” in the relevant subparagraphs of Article 6 of the Law were deliberately chosen, and their meanings have been emphasized in the Guideline.

Actions Data Controllers Must Take to Ensure Compliance with the Law

The Guideline outlines the steps data controllers must take to ensure compliance following the recent amendments to the Law. These steps include updating the personal data processing inventory, revising procedures for obtaining explicit consent, amending privacy notices, updating data storage and disposal policies, and implementing appropriate data security measures.

1. Revision and Update of the Personal Data Processing Inventory

Under the Regulation on the Data Controllers’ Registry, data controllers must register with the Data Controllers’ Registry (“VERBIS”) and maintain a personal data processing inventory. Following the amendments to Article 6 of the Law, data controllers must identify any changes in their data processing activities, determine the personal data they process within their business processes, and document the legal basis for processing special categories of personal data in their inventory.

Additionally, as stipulated in Article 13 of this Regulation, any changes in the information registered in VERBIS must be reported within seven days. Therefore, personal data processing inventories should be regularly reviewed and updated to reflect the current status of data processing activities.

2. Revising Procedures for Obtaining Explicit Consent

The amendments to Article 6 of the Law have expanded the conditions for processing special categories of personal data. Previously, such data could only be processed based on the data subject’s explicit consent, but additional legal grounds now allow processing under specific conditions. Data controllers must carefully monitor and adapt to these changes in their compliance processes. If processing will no longer rely on explicit consent, existing explicit consent texts should be updated accordingly, and data subjects must be informed of these changes and their implications.

3. Amending Privacy Notices

As the legal basis for processing personal data must be clearly stated in privacy notices, any changes to the processing conditions of special categories of personal data must be reflected in these notices.

The Guideline emphasizes that after updating privacy notices, data subjects must be notified. It also clarifies that simply posting an updated privacy notice on a website is insufficient; data subjects must be directly informed to ensure awareness of the updates.

4. Updating the Data Storage and Disposal Policy

Data controllers registered with VERBIS must prepare a personal data storage and disposal policy aligned with their personal data processing inventory. Following the amendments to the Law, these policies must be reviewed and revised. If the legal basis for processing special categories of personal data changes, storage and disposal policies must be updated to ensure such data is not retained longer than necessary.

5. Ensuring the Implementation of Appropriate Data Security Measures

Data controllers and processors must implement necessary technical and administrative measures to protect personal data. This includes assessing the types of data processed and associated risks and implementing additional safeguards for special categories of personal data.

Particularly, those processing special categories of personal data must comply with the Personal Data Protection Board’s decision dated 31.01.2018 and numbered 2018/10 regarding “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data”[2] and the Guideline on Personal Data Security (Technical and Administrative Measures)[3].

Conclusion

This Guideline is among the most comprehensive issued to date, offering significant insights for implementation. Data controllers and processors handling special categories of personal data must review it carefully. It is also emphasized that the Board will continue to assess the lawfulness of processing special categories of personal data on a case-by-case basis.


References

[1] Guideline on the Processing of Special Categories of Personal Data (Only in Turkish). (2025, February 26). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/70f95c73-06a2-44dc-81e9-34201bdd7f5c.pdf

[2] Personal Data Protection Board’s decision numbered 2018/10 regarding “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data”. (2018, January 31). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/Icerik/4110/2018-10

[3] Guideline on Personal Data Security (Technical and Administrative Measures) (Only in Turkish). (2018, January). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf
